Creating Cloud Security Policies that Work | The State of Security – tripwire.com

Now that the ongoing worldwide trend toward going digital has been accelerated by COVID-19, taking extra precautions to protect your organizations data, communications and information assets is more important than ever.

Of course, there are many traditional and emerging ways to protect and secure your business:

However, the chief focus of this discussion will be on protecting your organization by creating and implementing cloud security policies or by updating and fortifying existing ones.

This is essential because, as reported in CIO, nearly all enterprises (96%) use cloud computing in some capacity, with a strong majority (81%) now employing multi-cloud scenarios and strategies.

Cloud security refers broadly to measures undertaken to protect digital assets and data stored online via cloud services providers, says Investopedia, which notes that common threats to cloud security include data breaches, data loss, account hijacking, service traffic hijacking, insecure application program interfaces (APIs), poor choice of cloud storage providers and shared technology that can compromise cloud security.

The good news is that the major cloud computing providers (including the Big Three of Amazon, Google and Microsofts Azure) invest heavily in providing cloud security to their users. What is crucial to understand, however, is that even though cloud computing itself is considered to be relatively safe, significant risk does come into play in terms of how you, the user, implement safety protocols and precautions on your side of the cloud computing experience.

More on this in a moment, but first, here is a quick review from Cloud Security Alliance and Tripwire on some of the top cloud security challenges:

There are many complex explanations out there that aim to answer the question: Why do I need a cloud security policy? Heres a simplified answer in four bullet points:

Perhaps the most important reason to implement and update cloud security policies for your organization is connected to a central tenet of cloud security known as the shared responsibility model.

Operationally speaking, security is broken into two components:

Cloud service providers (CSPs) are responsible for this. As explained in this article on the shared responsibility model: CSPs have the responsibility to ensure that their infrastructure is free from vulnerabilities. Theyre also responsible for the physical security of the cloud service and ensuring that unauthorized physical access to the hardware or software is prevented, as well as disaster and incident response. And doing so doesnt come cheap. Microsoft reportedly spends over $1 billion each year on security protections, including research and development.

This is your responsibility. OK, perhaps not you personally, but definitely your organization. According to an informative Wall Street Journal article, Gartner Inc. estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes, and the research firm expects this trend to continue.

Connecting with a cloud security provider has many advantages, but can also be an extremely complex proposition. According to the article Human Error Often the Culprit in Cloud Data Breaches, Amazon Web Services has a130-page instruction guidefor how to operate Amazon Simple Storage Service (Amazon S3). The cloud users responsibility necessitates ongoing vigilance around password security, internal and external sharing of data, third-party access and much more. For many companies and organizations, cloud security also comes with regulatory requirements (for example: information access rules set forth HIPAA, GDPR, Sarbanes-Oxley, etc.).

For obvious reasons, creating a cloud security policy is an extremely complex undertaking. This is not a situation where you task the new guy in IT with whipping something together by end of day Friday. Youll need to engage senior leadership, IT leadership and perhaps even outside consulting firepower to create a comprehensive policy that truly protects your organization from risk.

Here is an overview of some of the key elements of creating a cloud security policy from TechTarget:

Global IT services provider PhoenixNAP offers a simplified look at several key aspects that must be addressed in a cloud security policy. These include:

Here are a couple of other helpful resources when it comes to developing an effective cloud security policy:

Digital Guardian provides a list of 50 cloud-based security tips. Weve curated a few of the most useful ones to help with your cloud security policy journey:

Finally, being transparent about your rigorous cloud security policies and protocols can be important in providing added peace of mind to customers or other organizations with which you do business.

About the Author:Michelle Moore, Ph.D., is academic director and professor of practice for theUniversity of San Diegos innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.

Editors Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Go here to see the original:

Creating Cloud Security Policies that Work | The State of Security - tripwire.com